Updates: EasyRSA is no longer installed as part of openvpn, but you can install it through apt-get just like anything else. Just add “easy-rsa” to the list of things to install early on. It will end up in a different place as well, so the command to copy the scripts is now “sudo cp -r /usr/share/easy-rsa /etc/openvpn/easy-rsa”

The export variables at the bottom of vars have moved around a little, there’s now only one copy of your email address, and CN is commented out at the very bottom by default. Just fill in the variables that are present, and leave CN commented out.

Now that the whole house is humming along, sharing files, downloading things, and backing everyone up, you might be wondering if there’s anything left that the Raspberry can do for you. The answer is yes. In this article, we’ll set up the Raspberry Pi to act as an OpenVPN server, allowing you to access your home network from anywhere. OpenVPN is an open-source, cross-platform, virtual private networking (VPN) application. VPNs let you route internet traffic through a secure, encrypted channel, back to a network that you trust and/or control. You may have used one in order to securely access resources on the network at your office when you’re on the road. Developers sometimes use them to simulate traffic coming into their network from outside for testing. You can add these same abilities to your home network so that you can get to your stuff from work, or a hotel, or anywhere else with internet access. Running your own VPN means that no matter where you get an internet connection from, you are effectively “at home”. You don’t need to worry about fellow patrons at the coffee shop listening in on your network traffic because the traffic between you and your VPN is highly encrypted.

Acknowledgements

Once again, I didn’t invent this stuff. Most of the information about how to set up OpenVPN comes from a whitepaper by Eric Jodoin of the SANS institute. That whitepaper was later paraphrased and simplified in a pair of posts by Lauren Orsini. Both are excellent reading, and go into far more depth about how all this stuff works than I plan to. I’m just putting it into the same format as the other posts in the series, and organizing them in a logical progression, building on top of the previous posts in this series.

Prerequisites

In order to connect to your home network’s VPN when you are away from home, you are going to need either a static IP address, or a dynamic IP resolution service like www.no-ip.org. My home router updates no-ip automatically, so I have not set up a program on the Raspberry Pi to do this. Other tutorials exist out there to handle this part.

Internet security

Warning: The explanation that follows is super-non-technical™, and probably wildly inaccurate in many important ways. I am not a security or cryptography expert, but this is, in layman’s terms, how internet security works. When you visit your bank’s website, and something in your address bar turns green, or grows a little lock, it means that someone at the bank went to some authority that we’ve all agreed to trust, and got a certificate that says “Yup, these guys are the bank alright”, and installed it on the web server you’re talking to. As long as you trust the people that made the certificate to only give it to the company that paid for it, and as long as you trust the bank to only install the certificate on their own servers, then you have a way to prove that the server you’re talking to belongs to the company you think it does, or at least a company that the authority vouched for. Although I’m sure you trust your own word that the Raspberry Pi Home Server that you’ve been building is your own, your other computers are still going to want proof that the thing on the other side of the internet is your server, and not someone else pretending to be your server. That’s kind of the whole point of this exercise, after all. Since you trust yourself, you can act as your own “certificate authority” and make your own certificates. You then install your homemade certificates on both the server and the client, and they use those certificates to encrypt traffic back and forth between them.

Install OpenVPN

First things first, you’ll need to install the OpenVPN software onto the Raspberry Pi. You’ll also need the OpenSSL package in order to secure your connection later on. Installing both is as simple as…

sudo apt-get install openvpn openssl

That’s the easy part. Now comes the configuration. The installer has created some sample configuration files for us, and they’ll form the skeleton of the configuration. Copy the entire directory of sample configuration files like this:

Move to the bottom of the file, and change the defaults that are defined there to match your location and network. This will save you some time later on when you are asked to provide this information again for each user you set up. Mine looks like this:

Most of these can be anything you want, but the KEY_CN setting must be unique, so if you’re going to make more than one VPN server, give them different values. I’ve chosen to make my “Common Name” (CN) the same as the name of the server. KEY_NAME will affect the name of the resulting key file, but is otherwise arbitrary. The organizational unit (OU) setting is not important for a small home network, so I’ve just gone ahead and used the server name again. Basically, you can just make all of these values the same thing, and you’ll be just fine. The last two settings have to do with smart cards, which we’re not even going to get into. Close Nano, saving the file (ctrl-x, y, enter).

Become a certificate authority

In order to create certificates, you’ll need… wait for it… a certificate. In this case, it’s a “root certificate”. This is the kind of thing that one of the trusted authorities out on the web would have. The “easy-rsa” package you installed earlier can generate such a certificate for you. Run the following commands to set up a key server. Notice that the “sudo su” command is being used here. You’re going to stay in “god mode” for pretty much the remainder of this post.

cd /etc/openvpn/easy-rsa
sudo su
source ./vars
./clean-all
./build-ca

This last command will prompt you for a lot of values; fortunately, you set up reasonable default values above, so you can just hit enter to accept them.

Note: Newer installations will say “Generating a 2048 bit RSA private key”. This default has changed since I originally published this article. Pay attention to what your installation says because you’ll need to know this in a minute. Also, 2048-bit keys take a LOT longer to generate, so your screen is going to look quite different from this screenshot.

When that finishes, enter the following command, accepting the defaults again. You’ll get a couple of extra questions this time. Make sure the “challenge password” is blank, and accept any other defaults.

./build-key-server RPHS

Answer yes to the “Sign the certificate?” and “commit?” prompts.

Generate keys

You may be able to just take your bank’s word for it that they are who they say they are, but VPN servers, like the one we’re building, want proof of the client’s identity as well. They won’t let just anyone in. You need to give a key to each device or user you want to allow to connect to the VPN server. You have a decision to make at this point. You could generate a unique key for each individual device that you want to connect via VPN, or you could take a shortcut and generate a key for each user. The difference is whether you expect to need to connect more than one device at the same time. If you don’t need to connect more than one device per user at the same time, generate a key named for the user. If you think users will need more than one device connected at the same time, I’d suggest naming the key after the device. Whichever you decide, generate a key like this:

./build-key-pass NAME

Accept the defaults again, leaving the challenge password blank. The PEM password is the password you’ll need to connect using the key. Pick something nice and strong, but also something you won’t forget. If you want to be really paranoid, you could randomly generate one and keep it in a password safe. The choice is yours. Sign and commit the certificate when prompted. Almost done.

cd keys
openssl rsa -in NAME.key -des3 -out NAME.3des.key

Use the same password as you did before. You’ll have to enter it three times. Technically, the first time is a different password, but how are you supposed to keep them straight?

cd ..
./build-dh

You may need to wait a while for this last step. Sometimes you get lucky, and this step is short; sometimes you’re unlucky, and it takes a long time. You never know what kind of wait you’re in for up front. When it’s done, generate a static key for hash-based message authentication codes (HMAC). This is yet another layer of protection, and helps to prevent denial of service (DoS) attacks.

openvpn --genkey --secret keys/ta.key

Configure OpenVPN Server

Now it’s finally time to edit the OpenVPN configuration and tie up the loose ends.

nano /etc/openvpn/server.conf

You’ll notice that the editor is totally blank. That’s because this file doesn’t exist yet. Paste in the following text, substituting your own values for the highlighted values. You’ll need your Raspberry Pi’s IP address, the IP address of your router, and the name you used above when calling build-key-server.

Note: I have also highlighted the 8th line, where it says “dh2048.pem”. Older installations defaulted to a 1024-bit key, so you will need to adjust this if you’re working with an older installation. If you’re installing it for the first time, however, this should say 2048 these days. Just make it match what the build-ca step said above.

This script file needs to run every time the Raspberry Pi boots up in order to do us any good. Edit the /etc/network/interfaces file.

nano /etc/network/interfaces

Find the line that configures the wired Ethernet port. If you are running your server wirelessly, then you’ll need to adjust accordingly. Insert a new line, indented underneath, so that the result looks like this:

...
iface eth0 inet dhcp
pre-up /etc/firewall-openvpn-rules.sh
...

This will ensure that the firewall rules are applied to that network interface even before it has started up. Reboot the Raspberry Pi so that the rules are applied.

sudo reboot

Generating client keys

Connecting a VPN client to a remote server takes a bit of configuration, too. The OpenVPN client has to know where the server is, and it has to have a copy of the keys we generated earlier. All of this configuration gets wrapped up into a file with a .ovpn extension. You can create these by hand if you like, but Eric Jodoin, the author of the original SANS.org article was kind enough to write a script to do it for us. Create the script file.

nano /etc/openvpn/easy-rsa/keys/MakeOVPN.sh

This is a new file, so it will be totally blank. Paste in the following:

Exit Nano, saving your changes (ctrl-x,y,enter). Once again, because this is a script, permissions will have to be altered to allow it to run.

chmod 700 /etc/openvpn/easy-rsa/keys/MakeOVPN.sh

Create the Default.txt file to hold the default values the script will use. The casing isn’t important, but it must match what was specified at the top of the script file. I’m keeping the capitalized “D” just to keep it the same as anyone else who followed Eric’s instructions.

nano /etc/openvpn/easy-rsa/keys/Default.txt

Paste in the following, substituting your public IP address for the highlighted text. If you don’t have a static public IP address, you can use a dynamic name from a service like DynDNS or no-ip here as well. The “1194” is the standard port number OpenVPN uses; adjust as needed to match your network configuration.

Exit Nano, saving your changes (ctrl-x,y,enter). Execute the script to create a .ovpn file. Remember to use the user or device name you chose earlier when creating the client key.

cd /etc/openvpn/easy-rsa/keys
./MakeOVPN.sh

The result is a NAME.ovpn file in the /etc/openvpn/easy-rsa/keys folder on the Raspberry Pi. That’s great, but we need the key on the client machine. You can copy the file using a secure copy program like WinSCP, copy it to a flash drive and move it by hand, or any other number of ways to move a file around. Since this is my own private home server, I’m going to put the file on the data share, at least temporarily. Once the key is installed and working on the client, I’ll delete it from the server.

cp /etc/openvpn/easy-rsa/keys/NAME.ovpn /mnt/data/
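As an added example (my own shell, not the MakeOVPN.sh the post refers to), this is the job such a script does: it appends the CA certificate, the client certificate, the 3DES-encrypted client key and the tls-auth key from the steps above inline after Default.txt to produce NAME.ovpn. The key directory is a parameter rather than /etc/openvpn/easy-rsa/keys, and the demo directory it builds contains constructed placeholder files, not real certificates or keys.

```shell
#!/bin/sh
# Added example, not the MakeOVPN.sh from the post: build a client .ovpn
# profile by concatenating Default.txt with the four key files inline.
# File names follow the post: Default.txt, ca.crt, NAME.crt, NAME.3des.key,
# ta.key. KEYDIR is a parameter so the script can run outside /etc/openvpn.

# Wrap one file in an inline <tag>...</tag> block, which OpenVPN clients
# accept in place of a separate file on disk.
inline_block() {
    tag="$1"; file="$2"
    echo "<$tag>"
    cat "$file"
    echo "</$tag>"
}

# make_ovpn KEYDIR NAME -> prints the path of the generated KEYDIR/NAME.ovpn.
# Returns 1 without writing anything if an input file is missing, so a
# half-built profile never ends up on the data share.
make_ovpn() {
    keydir="$1"; name="$2"
    out="$keydir/$name.ovpn"

    for f in Default.txt ca.crt "$name.crt" "$name.3des.key" ta.key; do
        if [ ! -f "$keydir/$f" ]; then
            echo "make_ovpn: missing $keydir/$f" >&2
            return 1
        fi
    done

    # Assemble into a temp file first, then move it into place atomically.
    tmp="$out.tmp.$$"
    {
        cat "$keydir/Default.txt"
        inline_block ca       "$keydir/ca.crt"
        inline_block cert     "$keydir/$name.crt"
        inline_block key      "$keydir/$name.3des.key"
        # An inline tls-auth key needs "key-direction 1" in Default.txt;
        # the server side uses direction 0.
        inline_block tls-auth "$keydir/ta.key"
    } > "$tmp"
    chmod 600 "$tmp"      # the profile embeds a private key: owner-only
    mv "$tmp" "$out"
    echo "$out"
}

# make_demo_keydir -> prints a temp directory holding constructed placeholder
# files (NOT real certificates or keys) so make_ovpn can be exercised offline.
# The Default.txt here is a minimal constructed stand-in, not the post's file.
make_demo_keydir() {
    d=$(mktemp -d)
    cat > "$d/Default.txt" <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1194
key-direction 1
EOF
    echo "PLACEHOLDER CA CERT"     > "$d/ca.crt"
    echo "PLACEHOLDER CLIENT CERT" > "$d/NAME.crt"
    echo "PLACEHOLDER 3DES KEY"    > "$d/NAME.3des.key"
    echo "PLACEHOLDER TA KEY"      > "$d/ta.key"
    echo "$d"
}
```

Run it against the real directory as `make_ovpn /etc/openvpn/easy-rsa/keys NAME` once the files from the steps above exist there.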

Keys like this aren’t something you should leave lying around. On the other hand, you should probably have a backup of them somewhere. If you put them on a flash drive, go put it in a safe or something. Don’t let anyone get a hold of your keys, or they have a free pass into your home network, and you may not even notice it. You can always go back and generate new keys, delete the compromised ones, and continue on, of course.

Port forwarding

Before you’ll be able to connect to your home network from outside, you’ll need to set up your router to forward all traffic on port 1194 to the Raspberry Pi. I can’t tell you how to configure the firewall on your router at home because I don’t know what kind of router you have. An excellent resource that may have information specifically for your router is http://portforward.com/.

Client configuration

I’m using the OpenVPN client for Windows, but the instructions should be similar for other platforms. You can download open-source clients for Windows, and source tarballs for other systems from here. Note: Don’t try to download client software from the links on the front page of the OpenVPN site or you’ll just end up with “SecureTunnel”, a paid-subscription-based system that lets you do exactly what you’re already set up to do on your own. Get the .ovpn file that you generated on the Raspberry Pi over to the computer you’re going to connect from, and put it in the OpenVPN config folder. For Windows users, this should be C:\Program Files\OpenVPN\config.

Connecting the client

You’ll need to be somewhere other than on your own network for this next part. Otherwise you’re seriously crossing the streams, shutting down the containment grid, etc. Disconnect from your home network and tether yourself to a phone or something before continuing. Run the OpenVPN GUI application. It should have created a shortcut in your start menu for Windows 7 users, or on your app list for Windows 8 users. Run it, and it should pick up on the .ovpn file and open a connection. You’ll be prompted for the password you created earlier, and if everything is configured correctly, the OpenVPN icon in your notification area should turn green, and you’ll be effectively connecting to the outside world as part of your home network. There are, of course, many issues you could run into when using a VPN. Most of them are explained pretty well on the HowTo page of the OpenVPN site. One of the more vexing problems is that of disambiguating IP addresses between your home network, and the network you are connected to. See “Numbering Private Subnets” for more information.

What’s next

With this article complete, you’ve built a home server that’s covering all of the essentials. From here on out, we’ll be adding bells, whistles, fringe on top, etc. In the next post, we’ll add the LAMP stack, which forms the basis for most Linux-based web projects. If you want to run a website, a blog, or just a few web applications, you’ll probably need this.

106 Responses to Raspberry Pi Home Server: Part 11, OpenVPN

Hi Mel. I’m reading this and have one doubt about “ifconfig 10.8.0.1 10.8.0.2 “. These are point-to-point tunnels, aren’t they? Actually, if I asked you whether you can connect simultaneously from two remote devices using the above config, what would your answer be?

For instance, if I have two remote Windows PCs, can they be connected to the Raspberry VPN server simultaneously? Which IP address would remote systems get? Can you test it?

I believe it is possible to get OpenVPN set up so that more than one connection is possible. I didn’t go into it, myself, because all I needed was the one connection since I’m the only one who would be using it. The way I have set it up in this tutorial only supports a single connection, and the internal IP will always be the same.

I’m using the IP address of the PI in both of the spots marked in the file. They are highlighted above in this article. I know there are a ton of configuration options, and you can put your VPN on a different sub-net than your normal network clients, but that’s really beyond the scope of what I was doing. I just needed to get one person (me) onto the home network occasionally in order to reset or tweak something.

Worked right up until I rebooted, then could no longer ssh into the pi to complete the process. I have tried openvpn following instructions on about 10 different webpages and can never get it to work. Do you have to have the pi have a wired connection (not possible for me as mine are all used)? So frustrating! I have spent hours on this to no avail. I wish they would make it easier.

Mine is wired, since it’s permanently placed next to the drives. I suppose there could be some interaction or incompatibility with a particular wireless dongle. I couldn’t say for sure, though, since I haven’t tried it myself.

In order to troubleshoot the issue, I would recommend moving something temporarily so that you can plug the Pi in directly. If everything works wired, but not wireless, then I’d start googling for your particular wireless dongle’s model number and OpenVPN. Hopefully you find something.

I can connect to the VPN interface via Windows 7 desktop (i.e. get green connection icon), but do not gain access to VPN server. At the client or Pi server I can ping 10.8.0.1 and receive packets, but not when I ping 10.8.0.2 or 10.8.0.0; it times out. So, I think the Pi server is connecting with the VPN server but I don’t think I am receiving anything back from the Pi server. I have port 1194 udp open, but still no joy. Any suggestions what could be the problem?

I don’t have it in front of me at the moment, but from what I recall, you shouldn’t need to go into god mode after rebooting. I’d check if there’s anything in the log files. You may have to do a search to find out where they are. I’m on my phone and won’t be home tonight, so I won’t be able to look into it right away.

I haven’t reset mine that way personally, but purge is supposed to remove configuration files. I back up the SD card before each major step, and just reset the whole thing if anything goes wrong. Do you have a backup from before installing Crash Plan?

Has anyone had a problem using Open Vpn on a Windows 8 computer, but have no problems accessing Open Vpn on your phone or tablet using an Android OS? It has to be a security issue with Windows but I can’t find it. Any help or suggestions would be greatly appreciated.

When I wrote the article, it was using a Windows 8 machine, so I can say that it works. It’s a complicated setup process though, so any number of things could go wrong. If you could describe the problem, maybe it will sound familiar to someone who’s been there.

Thanks for the response and thank you for the great set of tutorials, they are awesome! I have learned a lot and enjoyed my new server immensely. My problem is when I try to initiate the handshake with the Open VPN program on my laptop I get the time-out error. What really perplexes me is that I can access my server via Open VPN through my phone and tablet with no problem. I am reluctant to change my configurations on my router or VPN file because I know they work. I think it has to be something with the configuration or security in windows 8.1. I have tried turning off the firewall, anti-virus but nothing seems to help.

Look at the section titled “Generate Keys”. There are instructions there for generating keys by device or by user. I’ve only been using it “by device”, myself, but this section should be what you need.

In nine or so years am I to repeat the entire process as the certificate will expire at that time? Can I use it w/ expired certificates? I know I have a long time before I need to worry but I was ripping hair trying to get the firewall to work so that I could see my server side lan from a remote client. Your guide was the best! I hope and pray that in ten years your blog is still up!


I guess I wasn’t imagining this one server staying up that long. In a couple years, I assume we’ll be up to the Raspberry Pi 4, or some other miniature computer, and I will have moved on to that. I’ve already upgraded from a B to a B+, and now a 2B. I can’t help myself. New things are shiny. Also, I imagine that OpenVPN will have been supplanted by something else in that time.

If you’re still running the same server in nine years, then I guess you’d just have to run through the certificate creation steps again. You’d skip the installation steps, and just pick up at the configuration stage.

This is also one of those things that you could consider optional. I piled all these functions on the one Raspberry Pi just to see how much it could take, and I haven’t been disappointed. If I were being more practical, though, I’d have left the OpenVPN part to my router. With the dd-wrt firmware for my router, I could distribute the workload a bit, and let the router handle the OpenVPN part. I haven’t gotten around to flashing my router, but I probably will at some point.

In the step “Become a certificate authority”, when I enter the ./build-ca command I don’t receive any questions about information, and when I enter the ./build-key-server [NAME] command I don’t receive a prompt to sign the certificate. In both cases the output is:

Please edit the vars script to reflect your configuration,
then source it with “source ./vars”.
Next, to start with a fresh PKI configuration and to delete any
previous certificates and keys, run “./clean-all”.
Finally, you can run this tool (pkitool) to build certificates/keys.

I’m still pretty new to Linux and just got this Raspberry Pi the other day, so I apologize if this is an obvious fix.

Well, I’m going to guess that you either left one of the settings in the “vars” file unset, or didn’t actually run the “source vars” step. I’ve never intentionally skipped either part just to see what would happen, but the error message is clearly indicating one of those two possibilities.

Thanks for the reply! Looks like I had accidentally duplicated one of the lines in vars. Fixed it, and the rest of the steps went perfectly. Thanks again, I didn’t even know where to start. Works great!

Off the top of my head, I’d double-check that the IP address you put in Default.txt is your house’s EXTERNAL IP address (or dynamic IP name), not the 192.168 address inside your house. After that, check that your router is forwarding port 1194 to the Pi.

Hi Mel,
Great video on Pluralsight. But I do not understand why the TLS is not working as shown in the copy of my log below. I set the port forwarding on my router. I also followed the nat-rules.sh from the pluralsight video. I feel that I am super close, but I get this.

Mel – OUTSTANDING tutorial! I followed it to the letter and reinstalled my OpenVPN service on my Pi. It had completed successfully the ReadWrite tutorial in Jan 2015, but had to reinstall and this time the ReadWrite instructions didn’t work for me. But your instructions were perfect. The only issue I had was that the “cp /etc/openvpn/easy-rsa/keys/NAME.ovpn /mnt/data/” command didn’t work for me … the Pi couldn’t copy the files. So I used the ReadWrite chmod commands (first with 777 and then with 600) to unprotect the OpenVPN folder, copy the profiles with WinSCP, then reprotect the folder. Thanks, again, for an outstanding tutorial. @ArduinoGuy

Maybe I am just missing something, but when I come to the point where I have to move the NAME.ovpn file I get “no such file or directory” as feedback. I checked the name several times and when I look at the keys directory via “ls” there is not a single .ovpn file.

So, what did I miss? Do I have to do something to run the script besides the cd command that’s hidden in the text?

Hi Mel, excellent series you’ve got here, I’m really learning a bunch. I was wondering your thoughts on the intrinsic benefits of using the Pi over my router’s own VPN capabilities. I can’t find any articles where people really compare the two. I’m wondering if the way to go for me is simply use my router’s VPN capabilities, lightening the load of the Pi. What sorts of questions should I be considering? Many thanks!

If your router can do it, I’d let the router handle it and spread out the work a bit. The Raspberry Pi can do a lot of things, and it can do them well, but the more it tries to do at the same time, the more they all suffer. Also, OpenVPN isn’t as universally supported as some of the on-router options.

Mel, I am trying this on a new RPi 2. When I install the OpenVPN and OpenSSL packages it all works okay, but when I try the cp -r /usr/share/doc/openvpn/examples…. command, there is no easy-rsa folder at that location. Has something changed with the latest OpenVPN or am I missing something?

Without running through it all again, I don’t think I could make a good enough guess. It’s possible that something has changed with the distribution. I won’t have a chance to look before next weekend, unfortunately. Try looking around the directories by hand and see if it’s changed locations. I’ll hopefully be building a new server using the new Raspbian Jessie image next weekend to see what’s changed or broken. If you find the files, or a step that was missed, please let me know.

From what I have found, EasyVPN is no longer part of the OpenVPN project, but has been separated out. The current Master branch on the project is version 3.0. So it now appears that you need to install it separately. I’m just new enough with this to not want to try a lot of “discovery” without some sort of previously working model, or I will mess things up 🙂

That is not one I’ve heard before. It’s always possible that a recent update to openvpn has invalidated my guide, but I’d have to go through it all again to be sure. I’m hoping to do that this weekend. I’ll post an update if I find anything.

I figured it out as a corrupted SD card! It kept reverting to 26th Aug each time I rebooted. I found a few articles about when SD cards go bad, they “stick” to a certain point. I even placed the card in a Windows laptop and tried to add a file only for it to disappear once I reinserted the card!

Your guide is spot on so don’t worry. I think it’s just my SD card, which I have now replaced (it was always a bit dodgy, only booting 1 in 6 times successfully).

If I were to cover another VPN, it would probably be something more like ikev2 or l2tp, the sort of thing built into most smartphones. The biggest inconvenience with openvpn has been that phones don’t understand it, at least not without a lot of work. Android may be different, I don’t know. As for the email server. I’m sure it could be done, but it’s a little beyond the needs of most home users and requires you to have your own domain. I’ve set up my server to use Gmail to send me notifications when needed, which does the trick for me.

Softether VPN Server can be accessed via Android and Windows / Windows Phone with no client VPN software required, and the setup scripts make it super easy to install and configure. It supports l2tp, OpenVPN and other protocols as well.

As for the email, I am running my email server on a Raspberry Pi using a No-IP dynamic DNS service by setting the MX record on my account (free account) and I can get email in and out.

Have you any advice on how to set this up for a Chromebook?
I have been using this for Windows machines for some time and with great success, but I think the setup may have to be different for Chromebooks?

Any number of things can cause this. It’s not a very specific error message. I’ve seen this one myself, and it was because I’d used the internal IP address (192.168…) when setting up the Default.txt file instead of the external IP address of my router. Closed firewall ports could cause this error too. Basically it just means “no one answered my request”. I’d go through the article again very carefully double-checking each step. You will most likely find some small detail like internal vs external IP address. I’m currently rebuilding my real home server using the Jessie image, so if I find anything truly wrong, I’ll update the article.

Thanks for the great tutorial (I’m in the middle of the Pluralsight course now and it’s wonderful!). Quick question, though…I’m currently using a Raspberry Pi B+. If I decide to upgrade to a RPi 2, can I use the same certs in the easy-rsa directory, or will I need to regenerate everything from scratch? Sorry if it’s a noob question, but this part of the Pluralsight course was by far the most difficult and I would hate to have to do it over again if I didn’t have to.

I’ve swapped SD cards between current models before, but not on a system running openvpn. I don’t think the keys are tied to the hardware, so I think it should work just fine, but please let me know what you find out. If there is a problem, I still don’t think you’d have to redo everything, just perhaps generate a new set of keys, which is pretty easy using the scripts.

I have followed your instructions, but I am left with the following message when I run /etc/init.d/openvpn start
[….] Starting virtual private network daemon: serverEnter Private Key Password:

I have successfully made one of these following your instructions before and I never got this message. Restarting the openvpn service always resulted in success.

Thoughts?

Also, running nmap -p U:1194 [ipaddress] comes back with no results.
Changing the port to TCP instead and running nmap -p 1194 [ipaddress] worked on a previous attempt ONLY AFTER adding…
iptables -I INPUT -p udp -m udp --dport 1194 -j ACCEPT
…to firewall-openvpn-rules.sh and restarting the openvpn service (that was on Jessie, now I’m trying on Wheezy again). I have not been able to replicate the original successful VPN server.

That they do.
Thank you. I appreciate it.
This will be my weekend work.

The Enter Private Key Password issue may be a bug with Wheezy and may be fixed in Jessie, but then that brings me to the same kinds of issues I was having…

While on Jessie with OpenVPN, the iptables rules seemed to load, but the OpenVPN service wouldn’t accept them until the service was restarted. This got me thinking about how to go about scripting a delayed service restart after boot. Or instead just delay OpenVPN service from starting altogether.

Mel – I followed your excellent how-to above last year and have been enjoying my home based Pi VPN ever since! Unfortunately while on vacation recently, my house lost power in a storm so the Pi VPN server lost power without being shut down properly. Now the Pi VPN server doesn’t respond to connection attempts from outside my home network. I’m not a Linux or Pi expert, so I’m hoping you can suggest what files or settings or something else to check so that I don’t have to rebuild the entire server from scratch. Thanks for any and all advice and for your wonderful how-to.

Well that’s not much to go on, really. Are the other functions working, or is this a dedicated VPN server? If everything else is working, or VPN is this Pi’s only job, then you could try reinstalling OpenVPN. I’m not sure if keeping the existing key files around will work or not, but I would suspect it would. One thing that changed since the original article is the recommended key length. Current installations default to a 2048-bit key, which will take a LOT longer to generate. If you reinstall, you’ll also need to adjust the “server.conf” file to match. On the 8th line, change dh1024 to dh2048. This is only if you do a new install, though. Otherwise, can you tell me any more about what its complaint is?

Thanks for the response, Mel. The Pi is ONLY running the VPN software as described in your how-to. When I tried to connect to it with my Android phone or my iPad (both running the OpenVPN client) after the power outage, the client software searches out the permanent DNS service (I used duckdns.org) and then displays the “waiting for server to respond”. It doesn’t get a response from my Pi VPN server so it tries a few more times then times out. I know this isn’t much to go on but thought I’d ask here if there were any obvious Linux command line commands to issue to check connections or active VPN server running or or or … again, my apologies but I’m not a Linux guru. I’m willing to go back through the entire installation again but was hoping there were a few “obvious” things to check first. Thanks if you have any suggestions.

The four things I can think of off the top of my head are:
1) The port forwarding on the router has stopped working. I wouldn’t expect that from a power outage, but let’s work from the outside in.
2) The Pi’s own firewall has stopped letting the traffic in. Just work through that section of the post again, checking all of the files that got edited there.
3) OpenVPN didn’t auto-start. Check the status of the service.
4) The Pi didn’t get the same IP address as it had before the power outage. Have you either set up a static IP address on the Pi, or given it a permanent IP lease on your router? Check “ifconfig”, and see what address the Pi has. Does it match what the router is forwarding the OpenVPN traffic to?

There’s also the possibility that the sudden power outage just plain corrupted the SD card. Did you make a backup? Can you restore that? It might also be worth looking into adding a UPS. I made a couple of posts about using a UPS with Network UPS Tools (NUT). You can even run several Pis off the same UPS, allowing them to shut themselves down gracefully when the power goes out.

Mel – thanks for the great suggestions. Port forwarding was still set up fine. There was no issue with the Pi’s firewall. OpenVPN service was still running fine. And the Pi reported the same IP address still that the router was told to assign to it. But, I finally figured out the issue so now have a 5th one you can recommend to others in the future.

It turns out that my dynamic DNS service (the very good and free DuckDNS.org) did not know that my ISP had changed the IP address assigned to our house. I have to assume this happened very close to the power outage in my area of where I live. Before this issue, I’d never had any problems with my dynamic DNS knowing the public IP address of my house … I had successfully installed the proper script file as instructed by DuckDNS (duckdns.sh) into the right folder and had cron regularly running that script every 5 minutes to keep DuckDNS updated on my home’s public IP address. I assume that the power outage interrupted this process, but I can’t explain why (especially once I rebooted the Pi once I returned from vacation). I confirmed that the script contents were still accurate and that cron had the script properly entered in its list of services to run. Anyway, I executed the script manually at the command prompt today and DuckDNS.org instantly knew my home IP address again. I just confirmed that I have access from outside my network.

If you or any of your OpenVPN users/fans know why and how the power outage could cause a cron job to stop running automatically once a Pi is restarted after a power outage, I’d love to hear it.

Mel: Your tutorial has been great. I have my server running on my net with two hard drives. However, I can’t get past the certificate building step for OpenVPN. I have skipped from Samba to VPN. Is there anything in the DLNA/BitTorrent/CrashPlan steps that could affect this? Here is the error I keep getting when I try to build the certificate.

root@RPiServer:/etc/openvpn/easy-rsa# ./build-ca
error on line 198 of /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
1995774048:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:618:line 198

I have not seen this error, and I just re-did my own OpenVPN two weeks ago, so unless they’ve updated since then and broken something, I don’t have anything off the top of my head. I did do a quick search on the error message and found a number of people saying that the script needs another key added at the end. Add the following variable down where the other keys are defined at the bottom of the vars file.

export KEY_ALTNAMES="foo"

Foo can be anything, I guess. Then go back and start at the “source vars” step again. Let me know if that clears it up.

My Windows 10 laptop receives IP address 10.8.0.6, and can ping the RPi on 10.8.0.1 and also open WebMin on 10.8.0.1:10000, but no connectivity to any network resource (including the RPi itself) on the home LAN 192.168.0.x IP range. Also there is no routing (cannot ping any other 192.168 IP, nor resolve DNS, nor browse the internet).

Name resolution not working is perfectly normal. As for the lack of routing in general, I’ll have to try a few experiments. There is one thing that is always a problem with 192.168… addresses, though. If the network you’re connecting FROM is also using 192.168… addresses, they’ll get in the way. You seem to have already addressed this though. I usually only use the VPN to connect and make a change, or retrieve a file that’s on the server itself. I know for sure that I’ve connected to my own router (192.168.1.1), through the VPN, though.

The problem here is that I do not truly understand what these commands do, and as such am worried about deviating from your tutorial (also from the pluralsight course). I am starting to wonder whether it was necessary and may revert to your one-line script from the tutorial and try again.

I also changed server.conf: commenting out line 1:
#local 192.168.0.XXX # YOUR PI’S IP ADDRESS
I found this on another tutorial site. With the line left in the script, the OpenVPN service does not start when the rPi does, but “sudo service openvpn restart” gets it going. With the line commented out the service starts with the boot-up. Most odd. (rPi model 3)

Would you by any chance be able to help me get OpenVPN running between my Pi and Windows 10 machine? I followed your instructions on the Pluralsight to the letter, substituting my own external IP, Pi IP, and names and passwords as necessary, but I get the generic “TLS handshake failed” error that a few other people have mentioned. My Netgear router has dd-wrt, so I went to the services-> VPN tab to enable an OpenVPN client, added my Pi’s address at 192.168.1.125, used port 1194, the default, used TUN as the tunnel device (the only two options are TUN and TAP), and I used UDP as the tunnel protocol (the only options are UDP and TCP). I’ve tried different combinations of TUN/TAP and UDP/TCP, but I get the same “tls error: tls key negotiation failed to occur within 60 seconds” error message each time. This is when I disconnect from my home Wi-Fi, unplug the Ethernet cord on my laptop, and connect to my Apple iPhone’s wireless hotspot. My Pi is connected via Ethernet, and is running just fine on its own and when connected through Putty.

By the way, the server.conf file in your post above has a line of code saying, “dh /etc/openvpn/easy-rsa/keys/dh2048.pem.pem”, and in my server.conf file on the pi I changed it to “dh /etc/openvpn/easy-rsa/keys/dh2048.pem”, without the extra .pem. I don’t know if truncating the extra .pem makes a difference on the successfulness of the OpenVPN connection.

I was able to fix my crashplan not starting issue after installation in the previous module. Even though when I typed “sudo service crashplan start” after a successful install, I received the error message “Failed to start crashplan.service: Unit crashplan.service failed to load: No such file or directory.”, I simply did a reboot and did the exact same command again and this time received a successful confirmation that Crashplan was running. I’m able to use it to backup files on the Pi and my main laptop now, which is nice.

The extra “.pem” would be a typo. I’ll have to get that fixed. The first thing to try, if you haven’t already, is to restart the Pi. I know it made a difference when I was setting this up. Restarting after completing the installation seems to be necessary. If I could make a suggestion, though. dd-wrt has its own built-in OpenVPN support. If you can use that, I would just to distribute the workload across multiple devices that are there already anyway. You CAN put all of the items from this blog series on one Raspberry Pi, but it’s not going to like it very much. Some programs, like CrashPlan, tend to hog the memory, and make things harder on other things. The reason it works in general is that the odds of you re-indexing the media collection while in the middle of backing up a bunch of other computers is rather low. Still, I recommend distributing whatever you can. My CrashPlan has its own dedicated server (The CrashPi). Everything else is running on my main server, though.

Speaking of CrashPlan? Code42 pushes out regular updates to CrashPlan now, and every time they do, it stops working, and you have to repeat all the patch steps, replacing .so files, re-establishing symbolic links, etc. It’s really gotten to be a major pain. It used to go up and stay up, but that’s no longer the case. Be prepared to have to hold its hand and fix it on a regular basis, unfortunately. This is a more recent development, and didn’t make it into the PluralSight course, even with the last round of updates I pushed out.

I’m following your tutorial on PluralSight (which is great by the way) and I’ve got to the point of creating client key but I keep getting the error below…

root@raspberrypi:/etc/openvpn/easy-rsa# ./build-key-pass xxxxx
Please edit the vars script to reflect your configuration,
then source it with “source ./vars”.
Next, to start with a fresh PKI configuration and to delete any
previous certificates and keys, run “./clean-all”.
Finally, you can run this tool (pkitool) to build certificates/keys.

Not sure whether I need to follow the instruction in the error message. I did some research and in places it says that it’s a permission issue. Not too sure. Any suggestions?

Walk back through the instructions in the course or on the blog. A couple steps back, there was a section that included the command “sudo su”, which puts you in a semi-permanent root state. It looks like you’re still in that state, judging by what you copied in above. That’s good. The next thing after “sudo su” was “source ./vars”. Make sure you’ve done that. If you have, then back up a few more steps to where you edited the vars file with “sudo nano /etc/openvpn/easy-rsa/vars”, and filled in the export values at the bottom. Note: the values may be slightly different, or in a different order in the current version. For instance, the email address doesn’t appear twice anymore. Those should be all the steps to make it happy.

To recap:
1) Edit the vars file, and fill in appropriate defaults
2) “sudo su” to act as the root user
3) source the vars file to make it “stick” for the duration of this particular session as root
4) “./build-key-server NAME” to build the key server
5) “./build-key-pass NAME” to build the named key

and then continue on with the instructions. My guess is that you may have dropped out of being root at some point, and although what you copied above shows you being root, you have to have “sourced” the vars file within the same session or it doesn’t stick. Leaving and re-entering root mode will have forgotten what you “sourced”.
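As an added example (not from the post or its comments), a small POSIX shell preflight for the recap above: run it in the same root shell right before “./build-key-server” or “./build-key-pass”, and it reports which of the vars exports are missing from that session. The list of variable names is taken from the easy-rsa 2.x vars file plus the KEY_ALTNAMES workaround from an earlier comment; trim it to match your own vars file.

```shell
# Added example, not part of the original post. Checks that the easy-rsa 2.x
# vars file has been sourced in THIS shell. Exports made with "source ./vars"
# live only in that shell: leaving root with "exit" and coming back with
# "sudo su" starts a fresh shell with none of them, which this reports.
easyrsa_vars_ok() {
    missing=""
    # Names as exported by the 2.x vars file; KEY_ALTNAMES is the workaround
    # from the comment above. Adjust to whatever your vars file defines.
    for v in EASY_RSA KEY_CONFIG KEY_DIR KEY_SIZE KEY_COUNTRY KEY_PROVINCE \
             KEY_CITY KEY_ORG KEY_EMAIL KEY_OU KEY_NAME KEY_ALTNAMES; do
        eval "val=\${$v:-}"              # indirect lookup of the variable named in $v
        [ -n "$val" ] || missing="$missing $v"
    done
    if [ -n "$missing" ]; then
        echo "vars not sourced in this shell; missing:$missing" >&2
        echo "fix: cd /etc/openvpn/easy-rsa && source ./vars (while root)" >&2
        return 1
    fi
    # pkitool reads the openssl config named by KEY_CONFIG; a dangling path
    # is the other common cause of "Please edit the vars script".
    if [ ! -f "$KEY_CONFIG" ]; then
        echo "KEY_CONFIG=$KEY_CONFIG does not exist" >&2
        return 1
    fi
    echo "vars sourced: KEY_DIR=$KEY_DIR KEY_SIZE=$KEY_SIZE"
    return 0
}
```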

Is anyone else having problems with this setup recently? I have had this set and working for a long time. I didn’t change anything, but something now is broken. I have tried reinstalling from scratch, but still am unable to connect. I also tried installing using port 443/TCP. Maybe something with a recent Jessie update?

Mine is still working fine. The only issue I have is that my automatic updating of my home’s IP address to duckdns.org isn’t working so I have to update that manually when the home’s IP address changes.

I figured out that my ISP switched to a ‘carrier NAT’ (?) system of assigning private (not public) IP addresses due to the high cost of remaining IPv4 addresses. I’m not sure if OpenVPN will be compatible. If anyone has any ideas, I’m looking for help! Thanks.
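As an added example (not from the post or any of the comments), a POSIX shell script that checks the failure modes raised in this thread: the four-point list after the power outage, the stale DuckDNS record that turned out to be the fifth, and the carrier-NAT question just above. The placeholder values in capitals, the api.ipify.org lookup and all function names are my assumptions, not anything from the tutorial.

```shell
# Added example, not from the original post or its comments: checks for the
# failure modes raised in this thread (nothing listening, wrong LAN address,
# stale dynamic DNS record, carrier-grade NAT). Parsers read command output
# from stdin so they can be checked offline; run_live_checks wires them to the Pi.

# Does `ss -lun` (or `netstat -lun`) output on stdin show a UDP listener on port $1?
vpn_listening() { grep -Eq ":$1[[:space:]]"; }

# Does `ip -4 addr show` output on stdin carry the address the router forwards to ($1)?
has_lan_ip() { grep -Fq "inet $1/"; }

# Classify an IPv4 address: private (RFC 1918), cgnat (RFC 6598, 100.64.0.0/10)
# or public. A router WAN address that is not public means the ISP sits between
# you and the router, and inbound port forwarding cannot reach the Pi at all.
ip_class() {
    set -- $(printf '%s' "$1" | tr . ' ')      # split into octets $1..$4
    if [ "$1" -eq 10 ] || { [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; } \
        || { [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; }; then
        echo private
    elif [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then
        echo cgnat
    else
        echo public
    fi
}

# Constructed samples standing in for real `ss -lun` and `ip -4 addr show` output.
SAMPLE_SS='UNCONN 0 0 0.0.0.0:1194 0.0.0.0:*
UNCONN 0 0 127.0.0.1:323 0.0.0.0:*'
SAMPLE_ADDR='    inet 192.168.0.20/24 brd 192.168.0.255 scope global eth0'

# Live wiring for the Pi; values in capitals are placeholders for your own setup.
run_live_checks() {
    EXPECTED_LAN_IP="192.168.0.XXX"   # what the router forwards udp/1194 to
    DDNS_NAME="yourname.duckdns.org"  # the name in the clients' .ovpn file
    ROUTER_WAN_IP="0.0.0.0"           # copy from the router's status page
    ss -lun | vpn_listening 1194 && echo "udp/1194: listening" \
        || echo "udp/1194: nothing listening (service status, server.conf, firewall)"
    ip -4 addr show | has_lan_ip "$EXPECTED_LAN_IP" && echo "LAN IP: ok" \
        || echo "LAN IP: not $EXPECTED_LAN_IP, the forward hits the wrong host"
    ddns_ip=$(getent hosts "$DDNS_NAME" | awk '{print $1; exit}')
    public_ip=$(curl -s https://api.ipify.org)   # assumption: external IP echo service
    [ "$ddns_ip" = "$public_ip" ] && echo "DDNS: in sync" \
        || echo "DDNS: $DDNS_NAME -> $ddns_ip but internet sees $public_ip; rerun duckdns.sh"
    [ "$(ip_class "$ROUTER_WAN_IP")" = public ] && [ "$ROUTER_WAN_IP" = "$public_ip" ] \
        && echo "WAN: router holds the public address" \
        || echo "WAN: router address is not the public one; carrier NAT blocks forwarding"
}

if [ "${1:-}" = "--live" ]; then run_live_checks; fi
```

On the Pi, run it as “sh check-vpn.sh --live” after filling in the three placeholders; without the flag it only defines the functions, so it can be sourced and used piecemeal.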